Over 90 malicious Android apps have been discovered on Google Play.

According to BGR , these malicious applications originate from malware called Anatsa (also known as TeaBot), a particularly dangerous banking malware that appears harmless upon initial installation but then downloads malicious code or a command and control (C2) server disguised as an app update. This allows the malware to evade detection on the Android app store.

In other words, the applications initially appear harmless. They trick many people into believing they are safe before proceeding to download malicious content disguised as legitimate app updates. Once the malware successfully infects the device and begins communicating with the C2 server, it scans the user's device for any installed banking applications.

If any information is found, it will send that information to the C2 server, which will then send back a fake login page to the detected applications. If a user falls for this trick and enters their login information, that information will be sent back to the server, at which point the hacker can use it to log into the victim's banking application and steal their money.

Two applications that Zscaler detected as infected with Anatsa include PDF Reader & File Manager and QR Reader & File Manager. Researchers say that Anatsa primarily targets applications from financial institutions in the UK, but also has victims in the US, Germany, Spain, Finland, South Korea, and Singapore. Despite this, experts advise users to be vigilant about the dangers regardless of where they live.

Although the researchers didn't share the identities of the Android apps infected with malware on the Google Play store, both apps shared in the example above are no longer available. It's possible Zscaler alerted Google about other apps.